A ‘breakthrough’ of sorts in the UK – earlier this year the Information Commissioner's Office (ICO) was granted the power to fine organisations that failed to adequately protect customer data and where breaches took place. Two organisations, Hertfordshire County Council and A4e, have now been fined for breaches.
The Council was found guilty of sending sensitive information to the wrong recipients via fax, which is human error – I wonder how many times this happens and goes unnoticed?
A4e suffered the more common fate of losing an unencrypted laptop holding personal information on 24,000 people, which is both a failed operational control and human error – why were the records on the laptop in the first place?
ComputerWeekly have a good review on the story:
The feeling is that while the fines are a good move, the amounts don't reflect the severity of the breaches. The fines were GBP 100k and GBP 60k, which do seem more like a slap on the wrist. For me it is a good start, although if investigations are not handled properly and companies feel they are fined unfairly, this may result in fewer companies disclosing data breach incidents.